TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Improvements Are Needed to the Information Security Program Governance Process

March 11, 2008

Reference Number: 2008-20-076

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

March 11, 2008

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM: Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Improvements Are Needed to the Information Security Program Governance Process (Audit # 200620026)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) monitored compliance with security policies and procedures and developed sufficient information security guidance. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and was part of the Information Systems Programs unit’s statutory requirements to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

The IRS is responsible for developing an effective information security governance process that complies with Federal Government standards.
The IRS could make improvements in carrying out two key aspects of this process: (1) monitoring compliance with security policies and procedures and (2) issuing security guidance for all employees to follow. Until improvements are made, security weaknesses are more likely to occur, and the IRS cannot provide assurance that systems containing sensitive taxpayer data are adequately protected from security breaches.

Synopsis

The National Institute for Standards and Technology (NIST)¹ identifies techniques that agencies can use to monitor the status of their security programs. The IRS needs to improve its use of these techniques. For example:

• System owners are required to ensure that corrective actions are taken to resolve security weaknesses. These actions are closed with no assurance provided to IRS executives that the actions were effective.
• All devices connected to the IRS network are to be scanned quarterly for configuration compliance. Not all devices are included in the scans, and weaknesses were not documented.
• The IRS is required to semiannually analyze incidents reported, identify common weaknesses, and follow up to ensure that the weaknesses are corrected. The IRS did not always identify the causes of the 1,172 incidents reported in a 1-year period and did not always follow up to ensure that the weaknesses were corrected.
• Security controls should be tested at least annually to ensure that they are accomplishing their intended purposes. During another audit, we found 15 (75 percent) of 20 systems did not meet basic annual testing requirements.²
• Analysis of metrics should be a part of the IRS’ monitoring efforts.
The IRS is making progress in this area, but its metrics do not yet meet Federal Government requirements.

While the Cybersecurity organization is primarily responsible for monitoring compliance with security guidance, the Modernization and Information Technology Services organization and each of the business functions are responsible for implementing the guidance. In a bureau as large and diverse as the IRS, it is difficult for one office to enforce implementation across organizational lines. Thus, the IRS has taken insufficient actions to monitor and enforce compliance, resulting in weaknesses that put the security and privacy of taxpayer information at risk.

The NIST also provides key elements that agencies should include in their security guidance. The Cybersecurity organization developed guidance that meets standards for 9 of the 12 key elements (security areas). However, guidance for the remaining three elements (system development life cycle, capital planning, and security services and products acquisition) did not include all necessary considerations to meet NIST requirements and made references to obsolete standards and controls.

¹ The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.
² Treasury Inspector General for Tax Administration - Federal Information Security Management Act Report for Fiscal Year 2007 (Reference Number 2007-20-186, dated September 4, 2007).

For any guidance to be effective, it must be communicated to those who need it.
The Cybersecurity organization needs to make it easier for users to locate security policy guidance on its web site, which is the primary source for communicating security requirements. Confusion caused by difficulty in locating guidance increases the likelihood that employees could unknowingly create weaknesses that result in security breaches.

Recommendations

We recommended the Chief Information Officer, through the Security Services and Privacy Executive Steering Committee, require system owners to regularly report to the Committee on progress in addressing Plans of Action and Milestones items; require the Cybersecurity organization to improve the verification of compliance with standard configurations; analyze the incidents reported to the Computer Security Incident Response Center to identify common or systemic underlying weaknesses that contributed to these incidents and track corrective actions in the appropriate Plan of Action and Milestones; ensure that system owners prepare continuous monitoring plans that implement annual testing of system controls compliant with NIST guidance; and develop quantifiable security metrics based on IRS information security goals and objectives and require that the Cybersecurity organization analyze anomalies for root causes and report its results regularly to the Committee.

To improve security guidance, we recommended the Associate Chief Information Officer, Cybersecurity, coordinate with other IRS executives, as appropriate, to include complete NIST-compliant security guidance for the three areas that need to be updated; improve the Cybersecurity organization Intranet web site by maintaining all security procedures in one location and providing direct links to other Federal Government guidance as necessary; and develop a system to notify employees and contractors of changes to security guidance.

Response

IRS management agreed with our recommendations.
The Associate Chief Information Officer, Cybersecurity, will use a process for monitoring progress on Plans of Action and Milestones, conduct scans every 6 weeks to identify noncompliance with security configuration standards, prepare quarterly trend reports of security incidents that identify common or systemic weaknesses, develop a process for validating system owners’ compliance with the IRS’ continuous monitoring procedures, and develop and analyze quantifiable security metrics. The Security Services and Privacy Executive Steering Committee will take an active role in overseeing these activities and use the results to improve security in the IRS. In addition, the Associate Chief Information Officer, Cybersecurity, will develop guidance for the three areas that need to be updated, improve the Cybersecurity organization Intranet web site to facilitate easy access to security guidance, and develop a system to notify employees and contractors of changes in guidance. Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background ..... Page 1
Results of Review ..... Page 3
    Improvements Are Needed to Monitor Compliance With Security Policies and Procedures ..... Page 3
        Recommendation 1: ..... Page 8
        Recommendations 2 through 4: ..... Page 9
        Recommendation 5: .....
Page 10
    Information Security Guidance Is Adequate, but Procedures Remain Fragmented and Difficult to Locate ..... Page 10
        Recommendations 6 through 8: ..... Page 12
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ..... Page 14
    Appendix II – Major Contributors to This Report ..... Page 15
    Appendix III – Report Distribution List ..... Page 16
    Appendix IV – Management’s Response to the Draft Report ..... Page 17

Abbreviations

FISMA   Federal Information Security Management Act
IRS     Internal Revenue Service
NIST    National Institute for Standards and Technology
POA&M   Plan of Action and Milestones

Background

The Internal Revenue Service (IRS) relies extensively on computer systems to support its financial and mission-related operations. In Fiscal Year 2006, the IRS collected $2.5 trillion in tax payments, processed millions of tax and information returns, and paid about $277 billion in refunds to taxpayers. It also collects and maintains a significant amount of personal and financial information on each American taxpayer.
The confidentiality of this sensitive information must be protected so that taxpayers are not exposed to loss of privacy and/or to financial loss and damages resulting from identity theft and other financial crimes.

Congress and the Office of Management and Budget instituted a number of laws, regulations, and directives that govern the establishment and implementation of Federal Government information security practices. These laws, regulations, and directives establish Federal Government and agency-level responsibilities for information security, define key information security roles and responsibilities, identify minimum information security controls, specify compliance-reporting rules and procedures, and provide other essential requirements and guidance. They also provide an infrastructure for developing and promulgating detailed standards and implementation guidance to Federal Government agencies through the National Institute for Standards and Technology (NIST).¹

The NIST developed the Information Security Handbook (Special Publication 800-100) based on laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996,² the Federal Information Security Management Act (FISMA),³ and Office of Management and Budget Circular A-130, Management of Federal Information Resources.⁴ The purpose of the NIST Handbook is to assist managers in establishing and implementing an information security governance program, in compliance with regulations, that supports the agency mission in a

¹ The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.
² (Federal Acquisition Reform Act of 1996) (Information Technology Management Reform Act of 1996), Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C.
app., 10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.). The Act requires agencies to use a disciplined capital planning and investment control process to acquire, use, maintain, and dispose of information technology resources and to establish a position of Chief Information Officer.
³ Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002). The FISMA is the primary legislation governing Federal Government information security programs, building upon earlier legislation through added emphasis on the management dimension of information security.
⁴ Circular A-130 establishes a minimum set of controls to be included in Federal Government automated information security programs, assigns Federal Government agency responsibilities for the security of automated information, and links agency automated information security programs and agency management control systems.

cost-effective manner. The NIST guidance summarizes security responsibilities for key executives, including the Agency Head, Chief Information Officer, and Senior Agency Information Security Officer.

From October 2003 until July 2007, the IRS Senior Agency Information Security Officer and the Chief Information Officer led two separate organizations. The IRS Mission Assurance and Security Services organization was formed in October 2003 to bring together previously separate security functions and enable a consistent, unified approach to information security. The Chief, Mission Assurance and Security Services, carried out the responsibilities of the Senior Agency Information Security Officer.
Within the Mission Assurance and Security Services organization, the Information Technology Security Program Office was responsible for interpreting Office of Management and Budget, NIST, FISMA, and Department of the Treasury requirements and for establishing security guidance, tracking compliance, monitoring program implementation, and providing day-to-day support.

On July 8, 2007, the IRS dissolved the Mission Assurance and Security Services organization and transferred responsibility for computer security to the Modernization and Information Technology Services organization. The Associate Chief Information Officer, Cybersecurity, now performs the role of Senior Agency Information Security Officer and reports to the Chief Information Officer. The Associate Chief Information Officer, Cybersecurity, also leads the Security Services and Privacy Executive Steering Committee, which is comprised of IRS executives from all business and functional units and the Modernization and Information Technology Services organization. This Committee serves as the primary governance body for all matters relating to security and privacy issues in the IRS. Hereafter, we will refer to the Cybersecurity organization in this report because the Mission Assurance and Security Services organization was dissolved during our review.

This review was performed at the office of the Associate Chief Information Officer, Cybersecurity, in New Carrollton, Maryland, during the period September 2006 through December 2007. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.
Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

Improvements Are Needed to Monitor Compliance With Security Policies and Procedures

An information security governance program requires constant review to be effective. According to the NIST, agencies should periodically test and evaluate the effectiveness of information security controls, procedures, and practices. The information technology security staff should monitor the status of security programs to ensure that (1) ongoing security activities are providing appropriate support to the agency mission, (2) procedures and controls are current and aligned with evolving technologies, and (3) controls are accomplishing their intended purpose.

To facilitate ongoing monitoring, the NIST provides examples of methods that agencies such as the IRS can use to monitor the status of their security programs. These include:

• Plan of Action and Milestones (POA&M).
• Configuration management.
• Incident and event statistics.
• Continuous assessment.
• Measurement and metrics.

The office of the Associate Chief Information Officer, Cybersecurity, includes aspects of all these methods as part of its monitoring plan. However, more work needs to be done in each of these areas to ensure that the IRS information security governance program is being effectively implemented.
We identified the following concerns with the IRS’ current methods for monitoring compliance with security guidance.

Verification is not obtained to ensure that weaknesses identified in POA&Ms are resolved

The Office of Management and Budget requires weaknesses identified during security assessments to be documented in POA&Ms, which are to be reviewed quarterly. Progress to correct deficiencies and eliminate known vulnerabilities should be tracked until resolution. The POA&Ms can assist in identifying performance gaps, evaluating an agency’s security performance and efficiency, and conducting oversight.

Quarterly, the IRS reports to the Department of the Treasury on its total number of POA&M weaknesses and the number of weaknesses for which corrective actions have been taken, are ongoing, or have been delayed, as reported by system owners. However, when system owners report that they have corrected weaknesses, the Cybersecurity organization does not receive supporting documentation to verify whether the corrective actions have in fact been taken and whether the actions resolved the weaknesses.

In March 2007, the Department of the Treasury issued guidance requiring that recently closed actions on weaknesses be incorporated into the annual testing plans for the related systems. This action should help verify that POA&M items are properly closed.

Without verification that weaknesses have been corrected, the Cybersecurity organization cannot monitor progress toward improving the security of IRS systems and the information they process and store.
Government Accountability Office and Treasury Inspector General for Tax Administration reports continue to describe persistent security weaknesses that place the IRS at risk of disruption, fraud, and/or inappropriate disclosure of sensitive information. In March 2007, the Government Accountability Office reported that the IRS had made only limited progress toward correcting or mitigating previously reported information security weaknesses.⁵ Followup audits have found that, in some cases, corrective actions were taken but did not effectively resolve the weaknesses. In at least one instance in Fiscal Year 2007, we found a previously reported condition had been closed off the IRS program-level POA&M, although corrective actions had not been taken.⁶

Verification of configuration compliance needs to be improved

The IRS has standard configurations for most operating systems and devices connected to its network. It relies on system administrators located throughout the country to maintain those configurations. Configuration monitoring is an essential component for identifying potential security-related problems in information systems. To identify noncompliance with configuration standards, in October 2005 the Cybersecurity organization implemented a requirement for all computing devices connected to the IRS network to be scanned quarterly for configuration compliance.

The IRS primarily uses two types of scans: vulnerability scans and compliance checkers. Vulnerability scans are run from a remote scanning system and check systems for a series of vulnerabilities based on the SANS Top 20 Vulnerability List.⁷ The compliance checker tool can be run locally or remotely on target systems and checks the systems for operating system configurations.
Both types of scans are run quarterly.

⁵ Information Security: Further Efforts Needed to Address Significant Weaknesses at the Internal Revenue Service (GAO-07-364, dated March 2007).
⁶ Insufficient Attention Has Been Given to Ensure States Protect Taxpayer Information (Reference Number 2007-20-134, dated August 31, 2007).
⁷ The SANS (SysAdmin, Audit, Network, Security) Institute, established in 1989, develops and maintains the largest collection of research documents about various aspects of information security.

The decision to perform scans quarterly was a step in the right direction, although some large organizations run these scans daily. The Modernization and Information Technology Services organization has field office staffs that execute the compliance checker tools on the various IRS operating systems. The results of the compliance checker tools are documented in action plans. However, weaknesses identified during quarterly vulnerability scans were not documented in system POA&Ms to ensure proper tracking and resolution. Security configuration weaknesses that are not properly tracked may leave the IRS at increased risk of security breaches.

Also, not all types of operating systems and network devices are included in the quarterly scans. For example, the IRS only recently acquired a tool to scan databases for compliance with standard configurations. In addition, running the scans quarterly is not frequent enough to ensure that weaknesses are discovered quickly.
Furthermore, scans are regularly scheduled and predictable, thereby detracting from the reliability of the results for making an accurate assessment of the compliance with standard configurations.

In our Fiscal Year 2007 FISMA report, we reported that the IRS has security configuration guidance but needs to do more to ensure information systems apply common security configurations.⁸ In another recent review, we evaluated database configuration controls and found security configurations were not adequately implemented.⁹ Database security configurations were poorly communicated, security roles and responsibilities were not assigned or carried out, and tests to detect noncompliance with standard configurations were inadequate.

Incident and event statistics were not used to identify potential security weaknesses

Incident statistics are valuable in determining the effectiveness of security guidance. They can identify performance trends and enable security program managers to identify the need to change controls and procedures. Incident statistics should be monitored for trends and correlated with other data sources, including network monitoring, POA&Ms, configuration management, training and awareness, and other available resources.

The Department of the Treasury requires its bureaus to semiannually analyze the incidents reported to their Computer Security Incident Response Centers, identify common underlying weaknesses that contributed to these incidents, and incorporate them into POA&Ms. Since 2006, these analyses have been due to the Department of the Treasury on May 1 and November 1 of each year.

The IRS had not completed this analysis prior to our visit in March 2007.
⁸ Treasury Inspector General for Tax Administration - Federal Information Security Management Act Report for Fiscal Year 2007 (Reference Number 2007-20-186, dated September 4, 2007).
⁹ Standard Database Security Configurations Are Adequate, Although Much Work Is Needed to Ensure Proper Implementation (Reference Number 2007-20-129, dated August 22, 2007).

Following our visit, the Computer Security Incident Response Center prepared for submission to the Department of the Treasury a response that indicated it had reviewed 1,172 recorded Incident Reports for the period May 1, 2005, to April 12, 2006. Of those incidents, 584 (50 percent) could be attributed to noncompliance with 3 security controls:

• Incidents related to malicious code protection - 333 (29 percent).
• Incidents related to user-installed software - 133 (11 percent).
• Incidents related to spam and spyware protection - 118 (10 percent).

For each affected computer, the Computer Security Incident Response Center prepared requests to have the malicious code, unauthorized software, or spyware removed or to have the system restored. However, it determined that none of the findings warranted inclusion in a POA&M.

For the second quarter of Fiscal Year 2007, the Computer Security Incident Response Center reported that malicious code accounted for 46 percent of all incidents, with several systems being affected daily. Although malicious code and other violations were detected, the IRS did not always use this information to determine the underlying weaknesses that contributed to their existence or prepare corrective action plans for improving controls.
Without proper analysis of incident statistics, the IRS cannot adequately monitor trends that may identify common underlying weaknesses or security controls that need improvement, thus increasing the risk of security breaches.

Federal Government requirements for continuous monitoring of system security controls have yet to be implemented

The Guide for the Security Certification and Accreditation of Federal Information Systems (NIST Special Publication 800-37) requires Federal Government agencies to certify and accredit information systems every 3 years or when significant changes are made to a system. To certify a system, agencies must test the security controls to ensure that they are working effectively. A critical part of this process is the continuous monitoring of the security controls in the intervening years.

The Recommended Security Controls for Federal Information Systems (NIST Special Publication 800-53) requires a risk-based selection of controls to be tested annually to inform system owners about the status of security controls and identify controls that may not be operating as intended. Those security controls that are volatile or critical to protecting the system are to be assessed at least annually. All other controls are to be assessed at least once during the system’s 3-year accreditation cycle. The Guide for Assessing the Security Controls in Federal Information Systems (NIST Special Publication 800-53a) should be used in assessing the effectiveness of the controls.

The Cybersecurity organization placed a workbook developed by the Department of the Treasury on its FISMA webpage to assist system owners in selecting and documenting their annual testing of NIST controls.
The workbook provides descriptions of controls and selection criteria. However, in our Fiscal Year 2007 FISMA report, we reported that the IRS had not made sufficient progress in properly implementing annual testing of security controls as part of its continuous monitoring efforts. Of the 20 information systems reviewed, only 5 (25 percent) met basic annual testing requirements. Each of the five systems was certified in Fiscal Year 2007 and underwent a thorough system test and evaluation as part of the certification process. System owners for the remaining 15 systems did not select controls to be tested using a risk-based approach, and the scopes of the tests were not sufficient to determine whether controls were working effectively.

We attribute the noncontinuous monitoring in the IRS to a lack of oversight to ensure that the system owners are held accountable for implementing the process. In addition, the Cybersecurity organization has not provided adequate direction to system owners on how to implement the process. Without proper implementation and testing of system controls, system owners cannot monitor the current status of their information systems or identify weaknesses that need to be resolved.

Measures and metrics are not used to monitor the effectiveness of the security program or investments

Metrics are tools designed to improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data.
For information security, the metrics should provide a means to analyze the adequacy of security activities and identify possible improvement actions.

The Security Metrics Guide for Information Technology Systems (NIST Special Publication 800-55) provides guidance on how, by using metrics, an organization can identify the adequacy of existing security controls and procedures. It provides an approach to help management decide where to invest in security protection resources and how to identify and evaluate nonproductive controls.

Federal laws also require agencies to establish performance measures for information technology investments and to annually report performance information in business cases to the Office of Management and Budget to justify continued funding. The Office of Management and Budget reviews performance data to verify that only sound and cost-effective investments remain in the IRS information technology portfolio.

The IRS primarily uses the annual FISMA program as a tool for evaluating the effectiveness of its information security program. The FISMA requires Federal Government agencies to:
   • Plan for security.
   • Ensure that appropriate officials are assigned security responsibilities.
   • Periodically review the security controls in their information systems.
   • Certify and accredit a system prior to its starting operations and periodically after the system is deployed.

Although the FISMA provides various security metrics, it does not fulfill all performance measurement requirements established by NIST Special Publication 800-55.
In addition, the IRS business case for justifying its $77 million budget request for Fiscal Year 2008 did not provide planned or actual performance metrics for determining program effectiveness.

The Cybersecurity organization indicated it was waiting for the Department of the Treasury to provide guidance on developing additional performance measures. We acknowledge that metrics are generally helpful only to identify problems. For example, metrics may be developed to identify the number of security incidents, the number of weaknesses on POA&Ms that were not corrected on time, or the number of security settings that do not comply with configuration standards. Additional analysis will have to be done to identify the root causes of anomalies so the appropriate corrective actions can be identified.

While the Cybersecurity organization is primarily responsible for monitoring compliance with information security procedures and NIST guidance, the Modernization and Information Technology Services organization and each of the business functions are responsible for implementing the security guidance. In a bureau as large and diverse as the IRS, it is difficult for one office, such as the Cybersecurity organization, to enforce the implementation of its guidance across organizational lines. Thus, the IRS has taken insufficient actions to monitor and enforce compliance, resulting in weaknesses that put the security and privacy of taxpayer information at risk.

To assist and support the Cybersecurity organization, the Security Services and Privacy Executive Steering Committee should take a more active role in monitoring and enforcing compliance with information security guidance. This Committee consists of executives from the business and functional organizations who can provide different perspectives and furnish the authority needed to enforce security guidance.
The Committee has already demonstrated success in implementing encryption on nearly all IRS laptop computers. We consider this action to be a significant accomplishment, particularly because it required the cooperation of all IRS business units. By assigning to this Committee accountability for regularly following up on the methods suggested by the NIST in monitoring security, the IRS could gain a clearer picture of its security posture at any given time and ultimately be in a better position to make informed decisions on implementing and enforcing the proper security standards and controls.

Recommendations

The Chief Information Officer, through the Security Services and Privacy Executive Steering Committee, should:

Recommendation 1: Require system owners to regularly report to the Committee on progress in addressing POA&M items. On a sample basis, the Committee should require system owners to provide documentation to demonstrate that corrective actions were adequate to resolve weaknesses.

       Management’s Response: IRS management agreed with the recommendation. The Cybersecurity organization has developed a FISMA Dashboard to provide the current status of each FISMA activity, including progress on POA&Ms, at every Security Services and Privacy Executive Steering Committee meeting.
The Cybersecurity organization will give additional focus to POA&Ms by adding an agenda item to the meeting for business units to report the progress on their open POA&M items.

Recommendation 2: Require the Cybersecurity organization to improve the verification of compliance with standard configurations by:
   • Executing compliance checker tools and vulnerability scans more frequently than quarterly. Results should be provided to the Chief Information Officer and the Security Services and Privacy Executive Steering Committee.
   • Extending scanning to evaluate database security.
   • Including the results of scans in POA&Ms until issues are resolved.

       Management’s Response: IRS management agreed with the recommendation. The Cybersecurity organization will conduct scans once every 6 weeks to identify noncompliance with IRS standards for security configuration compliance and vulnerability management. In addition, it will extend scanning to evaluate database security, report scan results to both the Chief Information Officer and the Security Services and Privacy Executive Steering Committee, and track results in POA&Ms until issues are resolved.

Recommendation 3: Analyze the incidents reported to the Computer Security Incident Response Center to identify common or systemic underlying weaknesses that contributed to these incidents and track corrective actions in the appropriate POA&M.

       Management’s Response: IRS management agreed with the recommendation.
The Computer Security Incident Response Center, based on reported incidents, will prepare quarterly trend reports that identify common or systemic underlying weaknesses that contribute to these incidents, incorporate and track these weaknesses in the appropriate POA&Ms until resolved, and provide this information to the Security Services and Privacy Executive Steering Committee.

Recommendation 4: Ensure that system owners prepare continuous monitoring plans that implement annual testing of system controls compliant with NIST Special Publications 800-53 and 800-53A. The testing should include closed POA&M items and other volatile controls. On a sample basis, the Committee should ensure that adequate documentation is maintained to support the test results and closure of POA&M items.

       Management’s Response: IRS management agreed with the recommendation. The IRS enterprise continuous monitoring approach requires that system owners prepare Continuous Monitoring Plans in compliance with NIST Special Publications 800-53 and 800-53A. This approach requires that testing include closed POA&M items and other volatile controls. The business owner will include the closed POA&M items in its annual testing. The business owner is responsible for planning and performing testing, documenting the results, and collecting and posting the evidence to the Department of the Treasury for tracking and reporting purposes.

       The Cybersecurity organization will develop a process to validate that the system owners are following the enterprise continuous monitoring approach.
This approach includes sampling and validating closed POA&M items by evaluating the test results and presenting the results to the Security Services and Privacy Executive Steering Committee.

Recommendation 5: Develop quantifiable security metrics based on IRS information security goals and objectives. The Cybersecurity organization should analyze anomalies for root causes and report its results regularly to the Committee.

       Management’s Response: IRS management agreed with the recommendation. The Cybersecurity organization will develop a process and collect quantifiable security metrics based on IRS security goals and objectives. It will analyze these metrics for the root causes of anomalies and report the results of the analyses to the Security Services and Privacy Executive Steering Committee.

Information Security Guidance Is Adequate, but Procedures Remain Fragmented and Difficult to Locate

Developing and documenting adequate security guidance is crucial for effective governance because it is the primary means by which management communicates its views and requirements. NIST Special Publication 800-100 covers 12 key aspects of information security that information security managers are expected to implement and oversee in their respective organizations. These 12 security areas were identified by the NIST as key elements in an information security governance program:
   1. System development life cycle.
   2. Awareness and training.
   3. Capital planning.
   4. Interconnecting systems.
   5. Performance measures.
   6. Security planning.
   7. Information technology contingency planning.
   8. Risk management.
   9. Certification, accreditation, and security assessments.
   10. Security services and products acquisition.
   11. Incident response.
   12. Configuration management.

We compared the NIST security standards for each of the 12 security areas to the information security guidance developed by the Cybersecurity organization. In general, the Cybersecurity organization has made significant progress in developing effective information security guidance that meets NIST standards for 9 of the 12 security areas.

The Cybersecurity organization is responsible for developing the security guidance for the 12 security areas. In some instances, it must work with other organizations to provide security guidance. For example, coordination is needed with other Modernization and Information Technology Services organizations to develop guidance for system development life cycle and capital planning. Coordination with the Agency-Wide Shared Services organization is required to develop guidance for acquisitions.

However, certain sections of the security procedures and controls set by these organizations were not current or complete. In particular, the Modernization and Information Technology Services and Agency-Wide Shared Services organizations’ guidance did not include all necessary security considerations to meet NIST standards and, sometimes, made references to obsolete security standards and controls. Additionally, this guidance was not maintained with the information security guidance developed by the Cybersecurity organization. Instead, it was maintained separately within other Internal Revenue Manual sections.[10]

To be effective, guidance must be communicated to those who need it. We found it difficult to locate security policies and procedures.
During two other reviews, we found instances in which employees were unaware of updated security guidance or of where and how to locate it. In a recent audit of IRS database security configurations, we identified cases in which IRS employees with key security responsibilities for database security configurations did not know of current IRS standards for these configurations.[11] We reviewed the controls and found that the lack of awareness contributed to databases failing 30 percent of the over 800 security controls tested.

In another review of access controls over system administrator user accounts, we determined that system administrators interviewed in April 2007 were unaware of the information security guidance to change passwords more frequently.[12] The Cybersecurity organization had established this guidance in December 2005. IRS employees possessing critical computer system responsibilities expressed dissatisfaction with, or lack of knowledge about, where to locate current security guidance.

The Cybersecurity organization’s web site does not include a direct link to security guidance. Users must access different links to locate the webpage that contains security guidance. In addition, the Cybersecurity organization maintains security updates or interim guidance on a different webpage, thus increasing the risk that recently developed security controls will be overlooked.

The confusion caused by maintaining guidance in multiple locations and the difficulty in finding the guidance on the web site increase the likelihood that employees and contractors could unknowingly create security weaknesses that result in security breaches. We believe the current process used to provide security guidance needs to be streamlined.

[10] The Internal Revenue Manual serves as the IRS’ official source to communicate security guidance to employees and contractors.
[11] Standard Database Security Configurations Are Adequate, Although Much Work Is Needed to Ensure Proper Implementation (Reference Number 2007-20-129, dated August 22, 2007).
[12] Effectiveness of Access Controls Over System Administrator User Accounts Can Be Improved (Reference Number 2007-20-161, dated September 19, 2007).

Recommendations

The Associate Chief Information Officer, Cybersecurity, should:

Recommendation 6: Coordinate with other executives in the Modernization and Information Technology Services organization to include complete NIST-compliant security guidance regarding the system development life cycle and capital planning. Coordination is also required with the Chief, Agency-Wide Shared Services, to develop complete security guidance regarding the acquisition of services.

       Management’s Response: IRS management agreed with the recommendation.
The Cybersecurity organization will work with other organizations in the Modernization and Information Technology Services organization and the business units to include NIST-compliant security guidance in both the system development life cycle and capital planning processes. It will work with the Agency-Wide Shared Services organization to develop appropriate security contractual guidance and processes for acquisition of information technology and services.

Recommendation 7: Improve the Cybersecurity organization Intranet web site to facilitate easy access to current information security guidance. The web site should provide direct links to NIST guidance.

       Management’s Response: IRS management agreed with the recommendation. The Cybersecurity organization is redesigning its web site to give internal and external customers a tool that will be focused on sharing security information and services. It will add a direct link to NIST guidance as a new feature of the web site redesign.

Recommendation 8: Develop a system to notify employees and contractors of changes in security guidance.

       Management’s Response: IRS management agreed with the recommendation. The Cybersecurity organization will distribute and report changes in security guidance through the distribution list of the Security Services and Privacy Executive Steering Committee, where all IRS offices are represented. The details in the guidance will specify applicability to contractors. The Cybersecurity organization will also work with the Agency-Wide Shared Services organization Procurement Office and with all IRS offices to ensure distribution of the security guidance to IRS contractors through the Contracting Officer’s Technical Representatives.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS monitored compliance with security policies and procedures and developed sufficient information security guidance. To accomplish this objective, we:

I.      Determined whether the Cybersecurity organization had implemented adequate processes to ensure agency-wide compliance with security guidance.
        A. Determined whether the Cybersecurity organization had defined security roles and responsibilities for key leadership positions specified in the NIST[1] Information Security Handbook (Special Publication 800-100) to promote, issue, and enforce information security guidance within the IRS. We compared NIST standards to the roles and responsibilities set forth in the Internal Revenue Manual.[2]
        B. Determined what actions had been taken by the Cybersecurity organization to ensure compliance with security controls and procedures.
        C. Reviewed actions taken to ensure that security guidance issued by the Cybersecurity organization had been followed and determined whether those actions were effective.
II.     Determined whether the Cybersecurity organization had developed sufficient and timely guidance to ensure an effective information security governance program. We reviewed NIST Special Publication 800-100, Treasury Information Technology Security Program Directive 85-01, the Internal Revenue Manual, and other Federal Government guidance and obtained information on security program standards.
        A. Determined whether the Cybersecurity organization had developed adequate procedures for security areas specified in NIST Special Publication 800-100 and compared NIST standards to Cybersecurity organization information security guidance in the Internal Revenue Manual.
        B. Determined who was responsible for issuing security controls and procedures in the Cybersecurity organization and how long it took for security guidance to be issued.

[1] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.
[2] The Internal Revenue Manual serves as the IRS’ official source to communicate security guidance to employees and contractors.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Michelle Griffin, Audit Manager
Cari Fogle, Senior Auditor
Jody Kitazono, Senior Auditor
Abraham Millado, Senior Auditor
Stasha Smith, Senior Auditor

Appendix III

Report Distribution List

Acting Commissioner C
Office of the Commissioner – Attn: Acting Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief, Agency-Wide Shared Services OS:A
Director, Program Oversight OS:CIO:SM:PO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Controls OS:CFO:CPIC:IC
Audit Liaisons:
       Chief, Agency-Wide Shared Services OS:A
       Chief Information Officer OS:CIO

Appendix IV

Management’s Response to the Draft Report

[Pages 17 through 22 of the original report, containing the management response, are not reproduced as text.]